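Principles for applying ACLs (access control lists):
Standard ACL: apply it as close to the destination as possible.
Extended ACL: apply it as close to the source as possible (this saves bandwidth and other resources).
Direction: when applying an ACL, always pay attention to the direction.
ACL categories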
# Create a named basic ACL
acl name ssh-kongzhi 2001
rule 5 permit source 192.168.1.0 0.0.0.255
rule 10 deny
# Apply ACL 2001 on the VTY interface
user-interface vty 0 4
acl 2001 inbound
authentication-mode aaa
protocol inbound all
Scenario 2: (as in the figure below, host 1 cannot ping the HTTP server, but can access it)
# Apply the ACL on the interface
interface GigabitEthernet0/0/2
traffic-filter inbound acl 300
acl name kongzhi 3001
rule 5 permit icmp source 6.6.6.6 0
rule 10 deny icmp icmp-type echo
rule 15 permit tcp tcp-flag ack
rule 20 deny tcp
# Apply it on the public-network egress interface
interface GigabitEthernet0/0/1
ip address 4.4.4.4 255.255.255.0
traffic-filter inbound acl name kongzhi
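The order of the rules in ACL kongzhi decides which inbound packets get through the public interface. The following Python sketch is an added example, not part of the original notes: it parses the four rules above and evaluates constructed packets on a first-match basis. It assumes that a packet matching no rule is forwarded when the ACL is applied with traffic-filter; the address 203.0.113.9 is a constructed outside host.

```python
import ipaddress

# The four rules of "acl name kongzhi 3001", copied from the configuration above.
ACL_KONGZHI = """\
rule 5 permit icmp source 6.6.6.6 0
rule 10 deny icmp icmp-type echo
rule 15 permit tcp tcp-flag ack
rule 20 deny tcp
"""

def parse_rule(line):
    """Parse the subset of rule syntax used on this page into a dict."""
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3]}
    opts = t[4:]
    while opts:
        if opts[0] == "source":            # source <address> <wildcard>; "0" = host match
            rule["src"] = (opts[1], "0.0.0.0" if opts[2] == "0" else opts[2])
            opts = opts[3:]
        elif opts[0] in ("icmp-type", "tcp-flag"):
            rule[opts[0]] = opts[1]
            opts = opts[2:]
        else:
            raise ValueError(f"unsupported keyword: {opts[0]}")
    return rule

def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 0 must match; bits set to 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if "src" in rule and not wildcard_match(pkt["src"], *rule["src"]):
        return False
    if "icmp-type" in rule and pkt.get("icmp-type") != rule["icmp-type"]:
        return False
    if "tcp-flag" in rule and rule["tcp-flag"] not in pkt.get("flags", ()):
        return False
    return True

def evaluate(pkt, acl_text=ACL_KONGZHI, default="permit"):
    """First matching rule (lowest rule ID) wins. default is an assumption:
    with traffic-filter, a packet that matches no rule is forwarded."""
    rules = sorted((parse_rule(l) for l in acl_text.splitlines() if l.strip()),
                   key=lambda r: r["id"])
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["id"]
    return default, None

OUTSIDE = "203.0.113.9"   # constructed outside host, not from the page
```

An inbound echo request from OUTSIDE hits rule 10 and is denied, while an echo reply matches no rule and a TCP segment with ACK set hits rule 15, so replies to sessions started from inside still return.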
# Step 1: configure the time ranges ("23:0 to 6:30" is not supported, so it is written in the form below)
time-range jiaoshi-deny 00:00 to 6:30 daily
time-range jiaoshi-deny 23:00 to 23:59 daily
time-range xuesheng-deny 00:00 to 8:30 working-day
time-range xuesheng-deny 22:00 to 0:0 working-day
# Step 2: create the advanced ACLs
acl number 3001
rule deny ip source 192.168.21.0 0.0.0.255 time-range jiaoshi-deny
acl number 3002
rule deny ip source 192.168.22.0 0.0.0.255 time-range xuesheng-deny
# Step 3: configure the traffic classifiers (classify packets that match ACL 3001 and 3002)
traffic classifier d_jiaoshi
if-match acl 3001
traffic classifier d_xuesheng
if-match acl 3002
# Step 4: configure the traffic behaviors (the action is to deny the packets)
traffic behavior d_jiaoshi
deny
traffic behavior d_xuesheng
deny
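# Step 5: configure the traffic policy (associate classifier d_jiaoshi with behavior d_jiaoshi to form a traffic policy; for convenience, because it is applied to a single interface later, the two classifier/behavior pairs above are combined into one policy)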
traffic policy all_deny
classifier d_jiaoshi behavior d_jiaoshi
classifier d_xuesheng behavior d_xuesheng
# Step 6: apply the traffic policy on the interface
interface gigabitethernet 0/0/2
ip address 114.114.114.1 255.255.255.0
traffic-policy all_deny outbound